Google works towards life without passwords

As our lives increasingly move to the cloud, the need for stronger passwords is more important than ever. But aside from avoiding easy-to-guess birthday/pet name passwords, what else can be done?

Google is now investigating alternatives to the password – like a USB-based card from Yubico that would sign you into your Google account when inserted into a device.

In a paper that will be published in IEEE Security & Privacy Magazine this month, Google vice president of security Eric Grosse and engineer Mayank Upadhyay explore the various ways that people might use passwords in the years to come.

Grosse and Upadhyay gave Wired a sneak peek at their paper, which includes the option to use a cryptographic card from Yubico to log into Google services like Gmail, Drive, or Chrome. As Wired noted, the Googlers had to make some changes to Chrome in order to get the cards to authenticate, but once that was in place, it did not require any additional installation – registration can be completed in one click.

“We’re focused on making authentication more secure, and yet easier to manage,” a Google spokesman said in a statement. “We believe experiments like these can help make login systems better.”

Those who work in industries that handle secure information – like banking – have long used authentication tokens to log into their work accounts. But consumer services like Google have stuck to the password approach for ease of use.

The paper also discussed options like a “smart ring” or a smartphone that could authorise a new PC with one tap. Ultimately, these devices could mean the end of passwords you’d have to remember. They acknowledged, however, that it can’t live inside a Google bubble.

“Others have tried similar approaches but achieved little success in the consumer world,” they said, according to Wired. “Although we recognize that our initiative will likewise remain speculative until we’ve proven large scale acceptance, we’re eager to test it with other websites.”

What happens if you lose your Google password gizmo? Yubico tweeted today that “many apps can bypass the YubiKey login if it is lost or issue a temporary token code.” Multiple tokens can also be used – “it depends on the application and security selected,” Yubico said.

The company maintained that the YubiKey is hard to lose since it fits on a keychain “like a key to your door.”